gnur / Tobab
Licence: mit
tobab: the poor man's identity-aware proxy, easy to use setup for beyondcorp in your homelab
Programming Languages
go
tobab
tobab: an opinionated poor man's identity-aware proxy, easy to use setup for beyondcorp in your homelab

It allows you to connect one or more identity providers (currently, only Google is supported) and grant access to backends based on the identity of the user.
goals
- Easy to use (single binary with single config file)
- Secure by default (automatic https with letsencrypt, secure cookies)
- Sane defaults (No public access unless explicitly added)
non-goals
- Extreme security
- Reliability (web server restarts whenever a route is added / modified / deleted)
- Customization
- Pretty
wishlist (not implemented yet)
- openID connect integration
- docker integration (use the docker API to determine containers to route traffic into)
- docker builds
- full integration test suite that can run every night
- admin UI that shows all seen users, shows routes and allows you to edit routes
- metrics
getting started
- download an appropriate release from the releases page
- place a tobab.toml file somewhere and set the TOBAB_CONFIG env var to that location
- configure the google key and secret by creating a new oauth application
- make sure port 80 and port 443 are routed to the host you are running it on
- start tobab with appropriate permissions to bind on port 80 and 443
- add routes using the CLI or the API
- ???
- profit
example config file
hostname = "login.example.com" #hostname where the login occurs
cookiescope = "example.com"
secret = "some-secret"
salt = ""
certdir = "path to dir with write access"
email = "[email protected]"
googlekey = "google id"
googlesecret = "google secret"
loglevel = "debug" #or info, warning, error
databasepath = "./tobab.db"
adminglobs = [ "*@example.com" ] #globs of email addresses that are allowed to use the admin API
cli
Usage: tobab <command>

Flags:
  -h, --help             Show context-sensitive help.
      --debug
  -c, --config=STRING    config location

Commands:
  run
    start tobab server
  validate
    validate tobab config
  host list
    list all hosts
  host add --hostname=STRING --backend=STRING --type=STRING
    add a new proxy host
  host delete --hostname=STRING
    delete a host
  version
    print tobab version
  token create --email=STRING --ttl=STRING
    generate a new token
  token validate --token=STRING
    Get fields from a token

Run "tobab <command> --help" for more information on a command.
examples
# add a host to listen on test.example.com that proxies all requests to 127.0.0.1:8080
# please be aware, if you add a host that isn't public it should have the same suffix as the cookie scope!
tobab host add --hostname=test.example.com --backend=http://127.0.0.1:8080 --type=http --public
# list hosts
tobab host list
# delete a host
tobab host delete --hostname=test.example.com
# manually create an access token (useful for automation, see automation below)
tobab token create --email=<email> --ttl="800h"
# validate a token (and get information)
tobab token validate --token=<token>
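The cookie-scope warning in the first example can be enforced before a route is stored. This is an added example, not tobab's own code: `hostInCookieScope` and `checkRoute` are hypothetical helpers, and the page does not say whether tobab performs such a check. The comparison is made on a DNS label boundary, so `evilexample.com` does not pass for scope `example.com`.

```go
package main

import (
	"fmt"
	"strings"
)

// normalize lowercases a DNS name and drops leading/trailing dots so that
// "Example.COM." and ".example.com" both compare equal to "example.com".
func normalize(name string) string {
	return strings.Trim(strings.ToLower(strings.TrimSpace(name)), ".")
}

// hostInCookieScope (hypothetical helper) reports whether a cookie scoped to
// cookieScope would be sent to hostname: the host must equal the scope or be
// a subdomain of it. A plain suffix test would wrongly accept "evilexample.com".
func hostInCookieScope(hostname, cookieScope string) bool {
	h, s := normalize(hostname), normalize(cookieScope)
	if h == "" || s == "" {
		return false
	}
	return h == s || strings.HasSuffix(h, "."+s)
}

// checkRoute (hypothetical helper) rejects a non-public route whose host can
// never receive the login cookie; public routes need no cookie at all.
func checkRoute(hostname, cookieScope string, public bool) error {
	if public || hostInCookieScope(hostname, cookieScope) {
		return nil
	}
	return fmt.Errorf("host %q is outside cookie scope %q", hostname, cookieScope)
}

func main() {
	// Constructed sample hostnames, checked against cookiescope = "example.com".
	for _, h := range []string{"test.example.com", "evilexample.com", "test.example.org"} {
		fmt.Printf("%-18s private route error: %v\n", h, checkRoute(h, "example.com", false))
	}
}
```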
api calls
example api call to add a route that only allows signed in users with an example.com email address
# @name addHost
POST /v1/api/host
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=<token>
{
"Hostname": "route.example.com",
"Backend": "https://example.com",
"Type": "http",
"Public":false,
"Globs": [ "*@example.com" ]
}
###
example api call to add a route that allows any signed in user
# @name addHost
POST /v1/api/host
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=<token>
{
"Hostname": "route2.example.com",
"Backend": "https://example.com",
"Type": "http",
"Public":false,
"Globs": [ "*" ]
}
###
example api call to add a route that allows full access without signing in
# @name addHost
POST /v1/api/host
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=<token>
{
"Hostname": "route2.example.com",
"Backend": "https://example.com",
"Type": "http",
"Public":true
}
###
example api call to delete a route
# @name delHost
DELETE /v1/api/host/route2.example.com
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=<token>
###
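How the `Public` and `Globs` fields of the routes above combine into an access decision, as an added example that is not tobab's own code. The `Route` type, the `allowed` function and the use of the standard library's `path.Match` are assumptions; the page does not say which glob implementation tobab uses.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Route mirrors the JSON fields used in the API calls above.
// Hypothetical sketch for illustration, not tobab's internal type.
type Route struct {
	Hostname string
	Backend  string
	Type     string
	Public   bool
	Globs    []string
}

// allowed decides whether a request may reach the backend. email is the
// address taken from a validated login token, or "" when not signed in.
func allowed(r Route, email string) bool {
	if r.Public {
		return true // explicitly opened to everyone
	}
	if email == "" {
		return false // private route and no identity: deny
	}
	email = strings.ToLower(email)
	for _, g := range r.Globs {
		// path.Match anchors the pattern at both ends, so "*@example.com"
		// cannot match "bob@example.com.attacker.test". A malformed glob
		// returns an error and is treated as no match (fail closed).
		if ok, err := path.Match(strings.ToLower(g), email); err == nil && ok {
			return true
		}
	}
	return false // a private route with no matching glob admits nobody
}

func main() {
	// Constructed sample identities checked against the first example route.
	r := Route{Hostname: "route.example.com", Globs: []string{"*@example.com"}}
	for _, e := range []string{"alice@example.com", "bob@example.com.attacker.test", ""} {
		fmt.Printf("%-32q allowed=%v\n", e, allowed(r, e))
	}
}
```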
automation (stuff like APIs)
If you have an API running behind tobab, you can issue a token manually and add it to the request headers yourself. Combine the example CLI commands (token create) with the example API calls (the Cookie: X-Tobab-Token=<token> header) to see how to do just that :).
acknowledgements
This project could not have been what it is today without these great libraries:
- github.com/gorilla/mux excellent light weight request router
- github.com/markbates/goth library that handles all third party authentication stuffs
- github.com/caddyserver/certmagic letsencrypt made very, very easy
- github.com/sirupsen/logrus logging library that is perfect
- github.com/asdine/storm embedded database built upon bolt which makes persistence very easy
alternatives
- Combine github.com/traefik/traefik with a forward auth provider like github.com/gnur/beyondauth or github.com/thomseddon/traefik-forward-auth
- Combine github.com/oauth2-proxy/oauth2-proxy with some kind of certificate maintenance service like github.com/certbot/certbot